Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  November 12, 2014 7:30am-9:31am EST

7:30 am
recently about the nsa working part-time. >> there've been reports recently about employees in the nsa working part-time and some former employees going on to the private sector. how is that affecting the morale in the nsa and is there any concern about that particular relationship and classified information sort of jumping from within the borders of the nsa. >> we have processes that must be applied when individuals are going to do something in addition. we do that consistently over time and window circumstances change, what was acceptable at one point we say it's not acceptable. to change the nature of the relationship is different so we do that in a recurring basis. with the language background of background they say look i want to use my language outside nsa on a contractor basis because i
7:31 am
think that it will increase my skills and so we would say yes that makes sense and sometimes we don't. in terms of the flow of partnerships and information back and forth, i've been very public about saying for the national security agency i would like us to create a model where the members of our workforce don't necessarily spend 30 or 45 years working directly for us which has been made historic norm. it's amazing when i say tell me how long you've been with the nsa. 30, 35 years, 38 years. i said goodbye to an employee after 50 years. when i've talked about is particularly given the state of the technology, we have to create a world where evil from nsa can leave for life and work in the private sector provides also like to create a world where does private sector can come spend a little time with us because one of the challenges is the nation that we are dealing with and you have seen this play
7:32 am
out over the last year or so in particular. we talk past each other a lot because we don't understand each other. the culture and experience isn't optimized to understand the concerns many of which are very valid from the it corporate partners and likewise many of the individuals that work in the corporate world don't have an understanding of us and i would like to see what we can do to change that because i think it will prove better outcomes for both of us and serve us better as a nation. so thank you very much. >> thank you for your time and all that you do. we look forward to working with your team and hope you will come back. >> let me conclude i thank you for taking the time from the very busy personal and professional lives to be part of a dialogue. it won't be just today, tomorrow, next month that being part of the dialogue to address
7:33 am
and i would argue for our friends and partners all over the world cyber doesn't recognize geographic boundaries very well so the idea that we are going to deal with this in america for example i don't think that is a winning strategy it starts with a willingness to have a dialogue. and i'm starting from the position of you were in the private sector and all about money so i don't know that i can trust you like a military. or the private sector says you work for the government and i don't know that we can really trust you. that isn't going to get us where we need to be as a nation. that isn't going to provide the protection that our society whether the private sector, government or for us as private individuals that isn't going to generate the outcomes that we
7:34 am
need. this is a team sport that will take all of us and it starts with an open relationship and a willingness to be open with each >> both the house and the senate return today at two p.m. eastern. the house is scheduled to debate ten bills including updating the presidential records act which will allow current and former u.s. presidents to continue to restrict access to certain records created during their time in the white house. the house republican conference will also hold leadership elections on thursday. and democrats have reportedly scheduled theirs for november 18th. in the senate votes are expected on judicial nominations. off the senate floor, senate republicans and democrats will both hold leadership elections, voting for the next majority and minority leaders on thursday. watch the house live on c-span and the senate on c-span2.
7:35 am
>> because of the recess at the house of commons, prime minister's questions will not be seen today and returns live next wednesday, november 19th, at seven a.m. eastern here on c-span2. >> the c-span cities tour takes booktv and american history tv on the road, traveling to u.s. cities to learn about their history and literary life. and this weekend we partnered with charter communications for a visit to madison, wisconsin. >> time is work for everyone. the community's large. it is a glorious service. this service for the country. the call comes to every citizen. it is an unending struggle to make and keep government representative. >> bob la follette is probably the most important political figure in wisconsin history and
7:36 am
one of the most important in the history of the 20th century in the united states. he was a reforming governor. he defined what progressivism is. he was one of the first to use the term "progressive" to self-identify. he was a united states senator who was recognized by his peers in the 1950s as one of the five greatest senators in american history. he was an opponent of world war i, stood his ground advocating for free speech. above all, bob la follette was about the people. in the era after the civil war, america changed radically from a nation of small farm ors and small producers and -- farmers and small producers and small manufacturers, and by the late 1870s, 1880s, 1890s, we had concentrations of wealth, we had growing ip equality --
7:37 am
inequality, and we had concern about the influence of money in government. so he spent the later part of the 1890s giving speeches all over wisconsin. if you wanted a speaker for your club or group, bob la follette would give a speech. he went to county fairs, every kind of event that you could imagine and built a reputation for himself. by 1900 he was ready to run for governor advocating on behalf of the people. and he had two issues. one, the direct primary. no more selecting candidates in convention. two, stop the interests. specifically, the railroads. >> watch all of our events from madison saturday at noon eastern on c-span2's booktv and sunday at two on american history tv on c-span2. c-span3. >> now, the u.s. chamber of
7:38 am
commerce cybersecurity summit continues with assistant attorney general for national security john carlin who speaks about the government's efforts in combating cyber threats. his remarks are 25 minutes. [applause] >> well, thank you, anne, for your warm introduction and forf inviting me to your annual cybersecurity summit. we all benefit greatly from your leadership, especially inespe promoting the chamber ofthe commerce's role in national security. in englishing an annual gathering focused on cybersecurity challenges, the chamber of commerce continues to demonstrate its commitment to keeping our nation secure and to lowering barriers for american businesses to compete fairly in our global economy. the fact that this is your third annual cyber security summit is a testament to the growing magnitude of these threats and your commitment to make
7:39 am
cybersecurity central to the business plans. this is an important business issue and one that i know the chamber has exercised as a part of its national cyber security awareness campaign which kicked off in may. in the campaign roundtable events that occurred throughout the country the chamber stressed the importance of the cyber risk management and reporting cyber incidents as to the law enforcement. i couldn't agree with these two recommendations more. today's event is our opportunity to discuss how we can take the steps and others to best protect ourselves and to the nation. cyber security threats affect us all and they affect our privacy for our, our safety command our economic vitality. they present collective risk and disrupting them is our collective responsibility. the attackers we face range and sophistication, and when it comes to the nation states and terrorists, it isn't fair to let the private sector face these
7:40 am
threats alone. the government ought to help. we do and we need to do more. at the national security division we focus on tackling cyber threats to the national security. in other words those posed by terrorists and nationstates. i will talk a little bit later about how we have restructured the division to focus on bringing all tools to bear against these threats. likewise, chamber members have an important role to play in our strategy. you've are looking for the consequences living through the consequences with alarming frequency. according to brookings and 97% of the fortune 500 companies have been hacked. price water cooper house released a report that found the number of detected cyber attacks in 2014 increased 48% over 2013. as fbi director james comey noted there are two companies in america those that have been
7:41 am
hacked and those that don't know that they have been hacked. so we are on notice and we are all targets. i would venture to say that everyone in this room has been affected by a cyber security breach. at best a minor inconvenience, reissued credit card, at worst a devastation to the company's reputation, loss of customer trust and injury to your bottom line. without taking proper steps it is a question of when and not if the public major breach will occur. with that will come questions about whether you did enough to protect your company, your customers and your information. have you thought ahead to the day when you will have to face your customers, employees, board and shareholders when you have to notify them that somebody has infiltrated your company installing your most valuable and private information?
7:42 am
if that day was today could you tell them that you've done everything in your power to protect your company's future? had you warned them of the risk would you be able to say that you have minimized the damage? do you have a plan? it is a daunting scenarios that there is no surprise that surveys of the general counsel around the country identified the cybersecurity as the number one issue on their minds today at the surveys also show that over a quarter of the fortune 500 companies still don't have an established response to the cyber intrusions. this is a risky business and we know that we will never achieve the defenses that will remain vulnerable. but you can take step is to mitigate the risk, protect yourselves and companies and ultimately the cybersecurity of the united states. we've identified for each
7:43 am
central components of the corporate cyber risk management. first, he quit and educate your self and make sure that you have a comprehensive cyber incident response plan and review it. i've spoken with many ceos and councils that have not reviewed or cannot decipher their companies plan. these are risk management decisions and we can't manage the corporate risk if we don't understand it. who is involved and who needs to be notified in a major breach and what will you disclose and when will you notify the client, while enforcement and the public? second, note that your contacts create risk. actors can exploit outside vendors no matter how easily and your defenses may be unique to
7:44 am
worry about those outside the company that you do business with and consider guidelines to govern the access to your network and ensure that the the contracts require vendors to adopt appropriate cybersecurity practices. third, protect your bottom line. companies are increasingly considered on cyber insurance and you should consider how this may fit into your risk management strategy. cyber insurance may offer some financial protection and also incentivized companies to audit the defenses. finally do not go it alone. some of our attackers are linked to deep face military budgets and resources and when they are it is not a fair fight to take on the loud. we must work together so it can be one more complaint of the risk management strategy. as more breaches are acknowledged, the public will ask how quickly and effectively you responded and asked leaders will have to answer to the shareholders, board members,
7:45 am
customers, the media and the public. you will want to say that you did everything you could to mitigate your financial loss and your reputation will depend on it and we can help. we may be able to take actions to disrupt and detour. you are on the frontline of the battles but we are with you. we are committed to working with you to protect the networks can identify the perpetrators, disrupt their efforts and hold them accountable. at the department of justice this is among our top priorities. at the national security division we recently appointed new senior leadership to strengthen our capacity to protect our national assets from cyber attacks and economic espionage. we created and trained the nationwide national security cyber specialist networks to focus on combating cyber threats to the national security.
7:46 am
these are specially trained prosecutors and every attorney's office across the country. and as the doj we will follow the facts and evidence where they lead weather to a disgruntled employee or a loan hacker to a syndicate in russia or yes even a uniformed member of the chinese military. indictments and prosecutions are a public and powerful way to which we the people governed by the rule of law legitimizing to prove your allegations. as attorney general holder said it may enough is enough. we are aware of no nation that publicly states the information or commercial gain is acceptable and that's because it's not. nevertheless in the shadows so me and coverage and support corporate theft for the propagandist ate owned enterprises and we will continue
7:47 am
to denounce those actions including by bringing criminal charges and we won't stop until the crimes stop. a core part of the response must be disruption and deterrence to raise the cost to people that commit these and to detour others from emulating their actions. of course we recognize that the justice system is just one tool in our toolbox and in addition to prosecution we are working in conjunction with partners to explore how to play the designations and other options to confront the challenges. these changes help us fulfill our responsibility and help us work with you because we rely on cooperation to bring the cases from identifying the malware and its functions to pinpointing the location of the servers come in demanding botnets and removing
7:48 am
the malicious software from computers. take as one example last spring's takeover of that description a big success for our colleagues in the criminal division. this wouldn't have been possible without close cooperation. as the fbi put it, it was the largest fusion of law enforcement and industry partnerships ever undertaken in support of the fbi's cyber operation. across the international boundaries and affected hundreds of thousands of innocent users computers. we recognize one of the best ways to protect the nation is to support you in your efforts. that's why he and 2013 that federal agents involved over 3,000 companies that their computer systems were hacked and that they are working to provide the additional information as much as they can about the who and the how and every day the
7:49 am
fbi works with companies targeted by the activity ranging from the low-tech denial of service to the sophisticated intrusions by state-sponsored military support units. we are not limited to helping in the aftermath of an intrusion nor do we see our role as only a collector of information we also share sensitive information with you so you can defend against the attacks and engage in the disruption efforts. in the past year alone the fbi presented over 3,000 -- three dozen specific briefings to companies like yours. the information we share may enhance your ability to detect future intrusions into your engagement with law enforcement can help connect the dots between your breach and a broader threat. we may be able to help identify what was stolen, locate the perpetrator of the attack and in
7:50 am
certain cases mitigates the effect of the past intrusions. given the importance of the cooperation the department of justice is committed to lowering barrier of sharing information through extensive meetings which are in-house legal teams and learn what you perceive to be the hurdles to the cooperation and we are working to address them as we can. we clarified certain laws and antitrust statutes are not impediments to sharing information with the government. we understand trust on both sides is an essential predicate and about our work with you we've been striving to protect the sensitive data including trade secrets, detailed of the architecture and the personally identifiable information. the bottom line we can help you manage your risk and you can help us keep our nation safe.
7:51 am
the commission concluded recently in its ten year anniversary report that we are at september 10 levels and preparedness and they warned that history may be repeating itself in the cyber realm. we must stand together to keep that from happening. we also prepare ourselves for data that we can see coming over the horizon. if we think about the tools for cyber criminals use, the intrusion software affecting millions of computers, botnets used by criminal actors the tools are generally used for financial gain but it doesn't take much imagination to imagine these tools can also be used to disrupt or destroy. terrorists have stated that they want to exploit the vulnerabilities to harm our way of life.
7:52 am
al qaeda announced its intent to conduct civilian attacks in the financial system. in the department of homeland security, recently confirmed that the investigating the two dozen cybersecurity medical devices and hospital equipment that could be exploited to injure or kill a patient with a few strokes on a keyboard. the threats are real. we know the terrorists have the intent to acquire the cyber capabilities and that if they succeed in acquiring them that they won't hesitate to deploy them. it's a race against time and one with high-stakes consequences. if the department for also looking at the gaps. most were not written with cyberspace in mind and they don't contemplate the access of the extraterritorial crimes. they don't facilitate the multijurisdictional and they don't empower us to bring the
7:53 am
authority to bear swiftly and effectively. we are committed to working with the relevant law or rule makers that support not a rising of the law. the cyber legislation in several areas including information sharing is needed. i want to conclude my remarks by discussing the perceptions of being hacked. among the consumers there is a growing understanding that companies are going to get breached but that doesn't mean we turn the other way. there is a downside to taking the approach to the cyber threat. consumers expect companies will adopt industry standards and when these intrusions happen as we see the consumers expect companies to respond promptly and acknowledge the intrusion publicly and cooperate with law enforcement to mitigate the damage. the chamber of commerce and its members are uniquely positioned to drive the corporate change to ensure that the companies and
7:54 am
partners treat the cyber breach as much as technical problems come into recognize that security operations are not insulated from the business operations and to discuss to the boards and employees and industries the importance of cyber security risk management. as we face ever more threats in cyberspace which incorporate the public-private cooperation into the toolkit the threats are not but threats are not letting up and neither should we. thank you very much for inviting me. questions for mr. carlin? >> lefty rely on you. >> i had. >> i had a radio show at the national press club on climate change. in my radio show i deal with a
7:55 am
lot of ngos that don't trust the government and when they see the government partnering in the private sector, they get really nervous. ideally there was a chamber of commerce that hired a number of offensive cyber firms to engage in the cyber attacks against some of these ngos. i don't know that the department of justice or anyone else in the federal investigated or prosecuted that. i'm not sure on the liability repercussions. and it is really thick among the community working on the climate change into a lot of other things when we consider the full weight of the government and the private sector standing on our backs. what i would like to know if have you considered that the federal government might reassure all americans that it's working to protect everyone and not protecting members of the chamber of commerce when things like this happen.
7:56 am
>> at its private consumers, companies or nonprofit organizations, and in fact we have seen too often got they are targeted on the cyber attack b-day by the nationstate adversaries or criminal groups. and so i would encourage those who are -- who suffered a breach to come and work with law enforcement as the crying as they would have in any other circumstance. and we would be happy to work and are working on cases like that all across the country >> other questions on today's topic if you would please
7:57 am
>> politico cybersecurity. you've spoken in the past on the indictment of the chinese officials and all of the government approach. the problem in those remarks it was promised that this is not the end, this is a new normal. what are the type of circumstances that will lead to more aggressive movements by the government against the nationstate what types of things are sort of the threshold to see more of the tools being deployed? i think for too long when it came to the nationstate actors there was a lot of good work being done on the intelligent side of the house to find out what was going on. but for too long on the criminal side of the house, we were not working day in and day out to see whether or not it involved the nationstate actor that we could bring appropriate criminal charges and that's why in 2012 we started the national security
7:58 am
network and how the prosecutors trained all throughout the country on both have a handle on the one hand and the complexities of the electronic evidence and on the other hand how to deal with the sensitive choices and methods and expertise the prosecutors have been bringing to bear. now that people are looking at the cases in that manner and the fbi is regularly sharing intelligence with the specially trained prosecutors, the case will be brought and we proved that was the case by bringing the case against the members of the liberation army 6198 earlier this spring. the prosecutors and agents continue to work and we will see additional cases because the crime continues of stealing the economic information. at the same time, we need to look with our partners and our developing sentience from the department of treasury, commerce
7:59 am
and to the designations bringing suit to make sure that we leave no tools in the toolbox grade we bring everything to bear to increase the cost so at the end of the day those that have information from hard-working american businesses and customers decided that it isn't worth the risk of getting caught >> john with american express thank you for coming today. can you shed a little bit of light on the impact of some of the latest takedowns? and in partnership with some of the private private sector community to affect that? >> once again, that is an example of a takedown where several things were happening at once. the unique action inside the united states in order to disrupt the command-and-control servers that keep them from
8:00 am
sending the commands. you need the cooperation of the partners because many of the servers and the infrastructure so that they could simultaneously take action and to the extent that we could and we did, you need to find attribution of the bad actors responsible working with the countries to bring them to justice. that collaborative action that took place in the u.s. government, foreign government abroad into the private sector was able to the thousands of computers that had the malware on them and bringing to the individuals to justice. that is the type of action that cannot take place without the help of the private sector into the private private sector was essential in the speed with which you are able to remediate some of the damage to some people's computers and that is what i think bob anderson referred to in the
8:01 am
... can you go over some of the challenges that you have with the obtained digital evidence? i know in the metropolitan area there are a few organizations with the exception of the local fbi agency that has the ability to gather the information that is to maintain it and keep it secure. so what are some of the challenges that you have in the country? >> it is a challenge. we've proven to that they can't. there are cases where we can
8:02 am
have attribution and we know that person involved. with that said it's a difficult case in part becaus that's trudeau domestically let alone the challenges of gathering electronic evidenceof outside reach of our orders which requires close cooperation with our foreign partners. and i think we've come a long way in that regard and proven we can bring some of these cases but we need to go further and need to continue to develop relationships with our foreign partners to make sure they have parallel statutes on their book to allow us to lawfully acquire electronic evidence and further criminal investigation. >> thank you, john for coming here today and we appreciate the work of your team. >> thank you. i look forward to workinge closely with both the chamber of commerce in your future as and
8:03 am
your members as we work together on this joint threat. thank you. >> thank you. [applause] >> coming up today on c-span2, virginia senator tim kaine will discuss the constitutional role of congress and the executive branch, military intervention as it pertains to combating isis. it will be live from the wilson center at 10:00 a.m. eastern. then later on our companion network c-span 3 house and -- health and human services secretary sylvia burr well talks about the government he's ongoing response to the ebola attack in west africa. jeh johnson and tom frieden and dr. anthony fauci from national institutes of allergy and infectious diseases life at 2:00 p.m. eastern.
8:04 am
on thursday, dennis hastert, the longest serving republican speaker, will join us on "washington journal" to discuss the 2014 election results and how republicans should govern in the 114th congress. you can see the former speaker live at 8:30 a.m. eastern on companion network c-span. >> the c-span cities tour takes booktv and american history tv on the road traveling to u.s. cities to learn about their history and literary life. this weekend we partnered with charter communications for a visit to madison, wisconsin. >> there is for everyone, the beauty is large, it is a glorious service, this service for the country. the call comes to every citizen. it is an unending struggle to make and keep government
8:05 am
representative. >> bob la follette is probably the most important political figure in wisconsin history and one of the most important in the history of the 20th century in the united states. he was a reforming governor. he defined what progressivism is. he was one of the first to use the term progressive to self-identify. he was a united states senator who was recognized by his peers in the 1950s as one of the five greatest senators in american history. he was an opponent of world war i, stood his ground, advocating for free speech. above all, bob la follow let was about the people. in the era after the civil war america changed radically from a nation of small farmers and small producers and small manufacturers and by the late 1870s, 1880s, 1890s, we
8:06 am
had concentrations of wealth, we had growing inequality and we had concern about the influence of money in government. so the spent the later part of the 1890s, giving speeches all over wisconsin. if you want ad speaker for your club or your group, bob la laafollette went to every event you could imagine and built a reputation for himself. by 1900 he was ready to run for governor advocatings on behalf of the people and he had two issues. one, the direct primary. no more selecting candidates in convention. two, stop the interests, specifically the railroads. >> watch all of our events from madison saturday at noon eastern on c-span2's booktv and sunday afternoon at 2:00 on american history tv on c-span3.
8:07 am
>> now to senate intelligence committee chair dianne feinstein and vice-chair saxby chambliss. they discuss ongoing efforts in congress to draft and pass the cybersecurity information security act. their remarks from this year's cybersecurity summit are 35 minutes. >> can everyone hear me? welcome to the chamber's third annual cybersecurity summit. thank you both for joining us. i thought i would introduce yourself and talk about the bill and prospects and take questions from the audience if there is time. let me introduce our two speakers. we're so glad to have you here. as you all know california's senior senator dianne feinstein built a reputation as
8:08 am
independent voice working with democrats and republicans. love to hear that these days to find some common sense solutions to the problems facing california and the nation. since her election to the senate in '92, senator feinstein has worked in a bipartisan way to build a significant record of legislative accomplishments which include helping to strengthen the nation's securith both here and abroad, combating crime and violence, battling cancer and protecting natural resources again in california and across the country, in the 11th congress, under senator feinstein assumed senate select committee on intelligence where she oversees the nation's 16 intelligence agencies. i should point out she was thes, first female senator to holdsho that position. it is also my pleasure to introduce the honorable saxby chambliss. in 2008, saxby chambliss was elected to serve a second term in the united states senate. georgia trend magazine which consistently named him as one of its most influential georgians,
8:09 am
calls him, highly visible well-respected presence in washington. he has a reputation as affable but straight talking lawmaker. georgia trend named senator chambliss as its georgian of the year. leadership and experience on homeland security and intelligence matters during his tenure in the house of representatives earned him an appointment to the senate select committee on intelligence where he has served as vice chairman since 2011.comm he is a strong advocate for improved information-sharing and human intelligence gathering capabilities and that is a topic we're going to get into here. again thank you both for joining us. i was just sharing with the senator feinstein our, what you all have at your desk are propaganda if you will. we're big fans of cyber information sharing act. why the two of you decided to put this forward and why is itt needed and what does it do?
8:10 am
>> let me begin with, ann, thank you. the chamber is ready to support the chamber if i can speak for the vice chairman and myself to the whole committee. much on personal level i want to say to the gentleman on my left, what a great pleasure it has been to work with you.e' we put a number of intelligence authorization bills, fisa bill, cyber bill. ladies and gentlemen, one of the things i have learned certainly in 40 years of public life, in a two-party system if you want to get something done, compromise is not a bad word. so as we sit down and i try to share everything that i knowhi with senator chambliss, either i have to give or he has to give or we find a mutual road to go down. and we have found, i believe he will second this, that to be a very productive way of producing for the people of this country.
8:11 am
i remember when we had mr. mendia, of mend dent before our intelligence committee and he gave us a classified briefing what wasiv happening in the unia states with respect to cyber attacks. then the director of the fbi said, you know, there is onei thing that is common about this. 90% either know they have been attacked. the other 10% may not but they have been attacked. and that virtually almost every big american company today has beenly attacked. been attacked. the question is how serious and by whom and how much. and i think it's fair to estimate that the cost to the economy into business is estimated in the trillions of dollars. so it is very serious. we started on this with a
8:12 am
different bill, and we put that bill together. it went to the floor and it got 56 votes. we needed 60 votes. it only got one republican vote. so the key was to go back and do a bipartisan bill, and that's essentially what the vice-chairman and i have done, ann. we put together a bipartisan bill. it was put out by the committee by a vote of 12-3, and it awaits action on the floor of the senate. there are a couple of groups that don't like this or don't like that. we've been prepared and look forward to receiving their comments. the staff has received and. david is here today, our staff director. and jack from the minority side as well, and so we are open but we do not want to produce
8:13 am
something that cannot get a vote. what we've done is an entire voluntary system. it essentially moves to let companies do three things. to monitor their networks, to identify cyber indicators, to use countermeasures to protect against cyber threats, and third, to share and receive information with each other and with federal, state and local governments. companies who use the authority to monitor and share information are provided full liability protection for doing so. as long as they do so with, within the bills parameters. and those parameters are pretty clearly spelled out. the bill has a number of protections to make sure personal information is protected, and to make sure that government doesn't use
8:14 am
information for any purpose other than cybersecurity. and, finally, the bill requires the director of national intelligence to put in place a process of sharing information on cyber threats in the governments hands with the private sector. so we believe we have a good bill. we are thankful for the support that your organization is provided. we understand the financial services network supports us, the telecom supports it. but let me say one thing. we will not have a bill. i tried to get this bill on the floor and so far have not had success. until communities like yourself take a good look at it, agree with it, come forward and say do it, and do it now, the stakes are too big to let this language any longer. >> thank you. senator chambliss. >> well, again, ann, thank you
8:15 am
very much for having us here today. and thanks to the chamber on two accounts. number one, what i found as i've been around the country, literally around the world, but around the country and around my state, and i talk about cybersecurity, until six or eight months ago as i was under beaudry club and i said the most important we've got to deal with cybersecurity, everybody eyes glaze over. this is not what i as a lawyer referred to as -- you can't see what's happening out there. you can't really feel it, except that people are starting to understand that this is serious, that it has huge financial consequences, not just to the economy of the united states but to me personally. so what you are doing today is helping educate people about this, and i am very thankful for that. secondly, the support of the chamber is key. i ran into the former dni just
8:16 am
last thursday, we had a cybersecurity conference in a gust of georgia and former director mike mcconnell was there and we were talking about the bill. and he said where does the chamber stand? i said, the chamber is absolute fully behind us. he said great, i think your chances just improved significantly. so to all of you, thanks for your willingness to let us have a chance to dialogue with you on this. i want to echo what diane said, number one, you would think this a mutual admiration society, and it is. she and i had a great working relationship, and it's proved that democrats and republicans can check their political hats at the door every now and then and do it in the best interest of the country. diane and i've done that on a number of issues when it comes to national security. and i am so glad to have her in the foxhole when we're fighting these battles, whether it's in the airwaves or on the ground
8:17 am
come and she's been a great leader and a great friend in the process. as diane said we had a cybersecurity bill on the floor of the senate a couple of years ago. they were -- there were competing factions that didn't allow the bill to generate more than 56 votes, and what she and i did after that, we were involved in the process but actually we were kind of fighting each other on the bill. but we both knew the importance of the issue. so when that bill went down she and i sat down together and said look, this is foolish. we know how important the issue is, we've got to come up with a bill that the bipartisan that you and i can agree on and that we can get the majority of our committee to agree on. it's not easy, as she said come in these times on capitol hill seeing bipartisanship that is somewhat of an anomaly. but diane and i slugged it out. we did make the right kind of
8:18 am
compromises on positions without compromising our principles to come together on this bill. it received a 12-3 will coming out of committee. you do see many 12-3 committees coming out of any committee on the senate side these days. that was going into the election too, by the way. what my priorities in this bill war was never want to make sure that we had a bill that was going to provide jon and i, our other law enforcement and our government agencies the tools that they need to make sure that they are able to detect intrusions on to any system be a public or private, and to make sure that they have the ability to share that information both from a public to private standpoint as well as private to private standpoint. because if we don't do that we are not publishing anything. and we wanted to do that in a voluntary system.
8:19 am
if we banned it to the private sector you will do this -- if we mandate it to the private sector there will always be pushback from the private sector. and with the level of trust that exists today between the public sector and the private sector, we knew that our chances of success long-term were not going to be very good. so what we did was go to your companies, go to the private sector and said okay, we want your ideas. we want you to start, help us start on the ground floor and let's build this building called a cybersecurity bill. and we did that and we've been able to incorporate good ideas from the public sector, good ideas from the private sector, and i think we accomplished what we set out to do from a voluntary system. secondly, it's imperative that we incorporate strong privacy measures in this bill. we simply can't allow someone's
8:20 am
personal information to be shared on a wholesale basis. we agreed on that and we think we've come up with good language to ensure that that does not happen. thirdly, it's important that we put language in this bill that allows flexibility. this is not a short-term project from our standpoint. this is long-term, and with the way that the technology changes in the world of cyber on virtually an hourly basis, not a daily basis, we want to make sure that 10 years from now that there is flexibly in legislative language that allows the public sector and the private sector to make industry changes to adjust to what technology comes forward in the intervening time frame. and then lastly, ma i'll say it again i know the key aspect of this if this is going to work is to ensure that there is
8:21 am
liability protection given to the private sector. we think we've done that in the right way, and we think that the private sector, those folks who are involved in it as well as i hope as dianne said, i hope all of you will read the bill, i think we need to you will be like the folks in the private sector that we have involved in it. you will have some comfort in knowing that in the corporate boardroom people are going to say wow mike, if we share this information with our competitor, we are going to have protection and we're going to be able to do this in a way that lets us put the right kind of countermeasures in place without the fear of liability from outside sources. so i'm pleased about this bill. i'm obviously, diane has a lot more in, a lot more influence on senator reid than i do, but i have implored him that if there is one piece of legislation that needs to be concluded between now and the end of the year,t ne
8:22 am
this is it.th if we don't do it this year, i fear that it will be at least another year before it rises back to the level that it is now and if we wait another year, we are really risking the economy of the united states in my opinion. so i'm very hopeful that when we get back here in a couple of weeks that senator reid is going to agree with us. we'll have this bill on the floor.eid we'll slug it out. diane and i are joined at the hip on this we're going to be together and if somebody has ana amendment makes the bill better, we're okay. if it's a bill that tries to send a political message of some sort we'll work to beat it back. but i do hope we get the bill on the floor and we see the senate work in the way that the senate historically worked to provide good legislation. thank you.ked >> thank you, senator. i think you're saying all the things we like to hear.
8:23 am
liability protection, flexibility. i will tell you that admiral rogers was here for lunch, the cyber commander and nsa director he is very big on information sharing bill as well. he doesn't want personal identifiable information. he doesn't want to get into the privacy issues. so i think that information should have sharing we talked about earlier, this is something we've talked about for a decade or so now, i have to ask to put you on the spot what are our chances with this bill in the lame-duck session? do you think we have a chance? >> well, i do think we have a ha chance. i think it b depend on people in this room and a lot of rooms like it throughout america. i look back three years and both saks biand i sat down with the shame per then. there were three or four big meetings. i really understand what the concerns were.we
8:24 am
i think those have been remedied in this bill. this bill is not the sun, the moon and the stars. it is not a regulatory how-to. it's a voluntary bill. it allows the voluntary sharingo of information with each other e or theac government with immuniy from lawsuits essentially. and i think that's critical. it is a first step bill. it is the first thing we need to do. nowt here's my worry. saxby, if we don't get this bill passed now, with you're retiring i think you're right, we go back to the year dot. we will have all the arguments we already have and disposed of but with a new cast of characters and, companies are going to continue to get hit. so you and i, because of what we see, share a big sense of alacrity that we need to get this thing done. we really need others to stand up to say yes, we're in supporto
8:25 am
with this.e i we opposed the last bill.i we're for this bill. let's get to it. let's pass it. >> one other thing too i think, ann, that gives us the potential to get this bill done, the white house came out with their executive order virtually ayear ago. i was frankly very apprehensive when they said they were going to issue an executive order because i didn't know what it woos going to say even thoughsa they had talked with both of us in advance but frankly the lay of the land that was put forward in that executive order is very positive in concert about what we've done in our bill. and some standards are being set by nist and nist incorporated the private sector into their discussions. that is good and there are other things being done there lays tho groundwork to some of, solving some of the objections that were in the lieberman-collins bill and we focused on information
8:26 am
sharing which is the guts of it obviously. if you don't have information sharing it's not going to work but i think that the white house need to be commended for laying out their the executive order the way they have and i'veth commended nist publicly and i will continue to do about the job they're doing. >> we at the chamber certainly agree with you. we had michael daniel here, the white house cyber coordinator this morning. when he percent came out with the executive order he was here at chamber a couple of times which is unheard of to shop around af executive order like. that. i think the extent he went to get not buy-in but situational awareness from the private sector on the executive order was very helpful.pr i will tell you that the nist cyber framework is something that the chamber fully supports. we're doing a road tour around the country, socializing it with small and medium-sized companies. we agree with you, sir, the cyber framework and the executive order was a step in
8:27 am
the right direction. >> i think,n ann, if i may, i think if we can get this up on the floor, i believe we can pass it. you can't pass a bill that isn't bipartisan and this one is and i think we can. both saxby and i worked closely with mike rogers, the houseir chair, dutch ruppersberger the vice chairman and mike has said, we're red did he to go. if you get a bill, we'll sit down and we'll get a conference and get it done right away. so, you really don't want to wait until the legislative bodies change on this because then you've got to go back to year dot and start all overa again. and that means inordinant delay. so i really hope that we can ge people to stand up, saxby, and ann, and come forward and say you've got to do this and do it now. we're happy to make the bill language available. i think it is already.
8:28 am
our staffs are here. we're happy to sit down with you or we t can as well but we realy need help to get it passed. >> i will just say, your staffs have been great to work with. we appreciate that. >> thank you. >> we'll take a few questions from the floor. and we are having a very hard time seeing you out there with these bright lights. please wait for a microphone to come to you. try to get the chamber members first if we may.mber >> hi, cory bennett with the hill. you discussed a lot of the ways that it will get the bill passed. hi, over here. that could get the bill passed in the lame-duck session. what perhaps are some of the things that might be a stumbling block and might prevent it from getting passed in this upcoming session? >> well, let me be candid. there were essentially two categories of people that had concerns. one were trialwe lawyers. we think we worked that aren't
8:29 am
and there aren't problems there now, cross my fingers. the other is thear privacy community, which is a big, broad community. and i think we made another six changes that we've agreed to. but you know, it is always more, more, more. we, i think, if the bill comes to the floor and obviously we have a set time and number of amendments. we're willing to take amendments and do them on the floor so tha shouldn't stop it but those are really the two groups that we have concerns about and i think one of them will be settled and with respect to the privacy community, you know, what i've heard, well we wanted the old bill. well the old bill got exactly one republican vote on the floor. that is not a good message if you want to pass something. so, you have to find a way toa
8:30 am
work together to get it done. and we believe we've done that. >> that wasn't my vote. this one will get my vote. >> other questions? comments? over here. >> hi, chris costello with inside cybersecurity. this morning coordinator michael daniel is talking about how he is working very closely with you on legislation. where does the white house stant on the bill today and do you think they're supportive enough. >> i can quickly speak as the chairman. what we have done is kept the white house advised. the staff has done this. they sat down, they worked with the white house and i think, unless there is something that's new that i don't know about, there's been a relatively close working relationship. you want to comment on that? >> and this is, it has not been
8:31 am
a one-sided conversation. i've had direct conversation with the president, even rode with him in a golf cart one day and we talked about it in the golf cart as we were trying to focus on our game, we were more importantly focused on cybersecurity that day. >> i'm not so sure. >> but we have had any number of conversations with the white house on it. and i'm not about to speak for them but, we have taken their original concerns into consideration and we know that the president's got to sign whatever bill comes out and, and, we're going to continue to dialogue. and i'm hoping that, by the time we get back and assuming senator reid says yes, this is something we need to do, that thee white house will come out to be a strong advocate with us. is it a perfect bill? i mean all of us know, particularly those that have been around the senate for a
8:32 am
long time, nothing's ever perfect. that is the way you get votes and the way you get things done is to craft something that while it can always be improved and as diane said, particularly in an era like this, this is the first step. who knows where we're going to be from a year from now. if we do nothing, shame on us.an i know the white house feelst strongly about that aspect of it. >> for those of you who may not be so in the weeds as we arebe here at chamber on the bill we're talking about 2588. the cisa bill, cybersecurity01 sharing information act of 2014m this still represents a workabls compromise among many stakeholders. it protects civil liberties. preserves the role of civilians and intelligence agencies and incentivizes sharing with narrow liability protections. it would also help businesses
8:33 am
achieve timely and actionable situational awareness. what we're talking about information sharing in real time is what we need. i want to point out you have this in your folders. we have 16 organizations along with the u.s . claim before commerce in support of this byof so very supportive. we have a question over here, matthew. >> ann, thank you. matthew with the chamber. senators i want to thank you very much your work on the bill and work of your staff members who have done a very, very good job in terms of working with us on aspects of the bill. one thing that might not be well-known, the bill does mandate businesses sharing information with peers and government have to remove pii. personal information.-- maybe you can hear me better. they have to remove pii. the bill says you must remove pii. that is one of the elements of the bill we didn't agree with because we thought small and mid-sized businesses that aren't sophisticated in doing removal,
8:34 am
instead of sharing i will sit this one out. we recognize that is a big issue and that one element of the bils that we've found it necessary to compromise around. you might be interested to know that we have been meeting with many, many offices in the senate to try to educate them about the bill. it is oury number one cyber legislative priority. i want to just thank you and say yes, if you do have a chance, we have an opportunity to pass the bill on the floor, please urgell senator reid to put it on the floor. we think the bill deserves at a shot at a vote. thank you. >> thank you. >> one thing we did to address early on privacy concerns was with regard to the definition of cyber indicator threats. and we narrowed the definitione of it and the focus is on really the serious issue of cyber threats. it is not able to be expanded
8:35 am
from a privacy standpoint into non-cyber issues, which io understand from a privacy standpoint. so, that is, that was another big compromise that, that we came together on and diane whipped me again on it. but it's, that is the way things get done and, i empathize with the rationale and reasoning behind it. that's why we were able to make changes that we were able to make on both sides.ake and, thank you for your comments and your input. when the chamber has input, you speak for a myriad of sectors of the economy as well as individual businesses.r and that's critically important to us. >> thank you. >> thank you. >> thank you very much for that. he gave you a little inside information and just want to say thank you. didn't have to do that. appreciate it.e to >> any last questions, comments?
8:36 am
i can't, one back there. >> to what, to what extent is the, the debate of surveillance forum in the lame duck going to play into the ability to pass this bill? i heard both that surveillance reform is necessary to this bill but also could be a death knell for this bill because they don't want them to get sort of inextricably linked. how do you guys plan to navigate that innk the lame duck. >> does surveillance refor have to pass first. >> i will kick that off. you're talking about the fisa reform bill and how does it relate to the potential for discussion and debate on this t bill? the thing about fisa reform is that, we don't need it between now and end of the year. we've got a bill. that bill expires the middle of next year. we don't know who will control
8:37 am
congress but, this has been a vigorous debate as to the changes that need to be made int fisa. i think there is a lot of accord on that. but that is not something that urgently needs to be done between now and end of the yeare simply because we got laws onws the book today that deal with that issue. cyber we don't. there should not be any connection between the two. i certainly hope that is not the debate we get into or, not the position that we get into when we get back into session. >> well, leton me say this. you've hit on something because i have heard this in round-about ways. that fisa reform has to come first. and as i understand the current status, the house has passed a bill which was very difficult for the house to pass a bill. we have passed a bill on certain
8:38 am
fisa reforms that went out of our committee i think 11-4. the president has a distinct view on this and that is, that he supports the house-passed bill and senator leahy, the chairman of the judiciary committee, is putting together a fisa bill that would essentially echo the house bill with a few changes in it. one having to do with the public advocate coot/amicus and along with a couple of other things. here is the big problem and the problem is, how do we get something done there? the vice chairman has quite correctly, well, this doesn't really need to come up until next year but that's a long time to wait and my concern is, that
8:39 am
we do need to do something there. i don't think it is necessary to put the fisa bill first. red did he to go. it could pass the senate. i think at the very least it g would show that we can pass something. we can get it conferenced. we can get it back before the senate for a final vote, and we can get it to the president. so we can do this with not a great deal of debate, probably with a joint rule between the two side there be a couple of hours for debate and limited number of amendments and get itg passed and conference it so we can get something done.n i very much hope that willha happent. >> we hope so too. we have time for one more question. anyone out there? there is one here in the middle. >> hi, my nameis jason from
8:40 am
senator mark kirk's office and i wanted to ask you, senator chambliss, who will hold thech banner for information sharing in next congress for republicans? who has the institutional knowledge of working with the chamber and also -- [inaudible] >> well, most senior person in line to me is senator burr. he will be the next republican to be chairman or vice chairman. behind him is senator rich, senator coates, senator rubio, senator collins. we're losing senator. there is lot of experience coming back and i'm confident whoever it is will work diligently with diane to do
8:41 am
something but as we both alluded to earlier we have lots of members off the intel committee coming back or coming in and trying to educate those folks about the issue itself. plus, there are a lot of members that simply look to diane, to me, and other senior members the committee to basically have some security in from the standpoint of knowing a complex issue, having worked on a complex a issue. they're willing to go with us. we've got a lot of folks coming in that will not be in thath position. so that's why i think, and obviously diane agrees with me, that it is going to be a long time if we don't get it done by the end of this year. hope that answers your question. >> thank you. and i think that is one of then. things that we want to work wit you on, that educatings of the new members, to the committee and we're happy to continue to
8:42 am
do that. thank you both for coming here today. thank you for all the work you've done on the bill.h a terrific bill. we enjoy working with you and your staff, both of you, thank you very much. the chamber will continue to push for the bill. thanks. >> thanks. [applause] >> coming up today on c-span2, virginia senator tim kaine will discuss the constitutional role of congress and the executive branch military intervention as it pertains to combating isis. it will be live from the wilson center at 10:00 a.m. eastern. then later on our companion network c-span3 house health and human services secretary sylvia burwell testifies about the government's ongoing response to protect americans from the ebola outbreak in west africa.
8:43 am
also appearing before the senate appropriations committee, dhs secretary jeh johnson, centers for disease control director, dr. tom frieden and dr. anthony fauci of the national institutes of allergy and infectious diseases. this is live at 2:00 p.m. eastern. >> the c-span cities tour takes booktv and american history tv on the road traveling to u.s. cities to learn about their history and literary life. this weekend we partnered with charter communications for a visit to madison, which is. wisconsin. >> there is for everyone the field is large. it's a glorious service. this service for the country. the call comes to every citizen. it is an unending struggle, to make and keep government representative. >> bob la follette is probably the most important political
8:44 am
figure in wisconsin history and one of the most important in the history of the 20th century in the united states. he was a reforming governor. he defined what progressivism is. he was one of the first to use the term progressive to self-identify. he was a united states senator who was recognized by his peers in the 1950s as one of the five greatest senators in american history. he was an opponent of world war i. stood his ground advocating for free speech. above all, bob la follette was about the people. in the era of a the civil war america changed radically from a nation of small farmers and small producers and small manufacturers, and by the late 1870s, 1880s, 189 0s, we had concentrations of wealth, we
8:45 am
had growing inequality and we had concern about the influence of money in government. so he spent the later part of the 1890s giving speeches all over wisconsin. if you wanted a speaker for your club or your group bob la follette would give a speech. he went to county fairs. he went to every kind of event that you could imagine and built a reputation for himself. by 1900 he was ready to run for governor, advocating on behalf of the people. and he had two issues. one, the direct primary. no more selecting candidates in convention. two, stop the interests. specifically the railroads. >> watch all of our events from madison, saturday at noon eastern on c-span2's booktv. an sunday afternoon at 2:00 on american history tv on c-span3.
8:46 am
the 2015 c-span studentcam video competition is underway open to all middle and high school students to create a five to seven-minute documentary on the theme, the three branches and you. showing how a policy, law or action by the executive, legislative or judicial branch of the federal government has affected you or your community. there are 200 cash prizes for students and teachers totaling $100,000s. for a is laugh rules, how to get started, go to studentcam.org. >> now for the conclusion of the u.s. chamber of commerce cybersecurity summit with a special on information-sharing and cooperation between private sector industries, cyber security threats. this is an hour 15 minutes. is. >> again, welcome back. this is our final panel of the day for the chamber's cybersecurity summit. again this is our third annual one and thank you for coming to stick with us. this is a great panel.
8:47 am
we wanted to get a cross sector discussion going. as many of you know that follow the cyber framework closely there is a workshop, actually, more than a workshop, it's a big conference in tampa a lot of folks are flying down for this afternoon. thank you all, gentlemen, sticking around to be on this panel. i really appreciate your expertise and support. i want to introduce, chris furlow. he is the president of ridge global. both he and governor ridge are terrific friend and partners. tom ridge, first secretary of the homeland security department, also a governor. he is current chamber of the chamber's national security task force. chris will moderate our next panel on sector cooperation, interdependencies an challenges. thanks, chris. >> ann, thank you. i think, some congratulations need to go to ann and to the chamber team here today. if you think about it is pretty remarkable. we had the nation's almost entire cyber leadership here in the room today, that we had the
8:48 am
opportunity to engage with. it has been a great day. so thanks very much. i'm not sure always great to be the last panel of the day after lunch and when folks are ready to go home, hopefully we hope to make it interesting for you. we talked about a lot of macro level issues throughout the morning and afternoon. we really hope to get a little more granular in terms of how the various sectors are dealing with cybersecurity challenges, cyber resill yen he is. at a much more granular level and there we're very fortunate we have a group of folks who are from what many people would call the most critical of the critical infrastructure sectors. those sectors which drive most of the concern whether you look at our law enforcement community, intelligence community and certainly from i.t. professionals. now it is becoming a lot more of an issue for the c-suite across the business community.
8:49 am
folks, they get the threat. they understand it. now we need to talk about very much as john carlin said, admiral rogers said, how do we figure out how to do something about these challenges? today we hope to get into a discussion about what is being done already today and where we can go into the future. joining me on today's panel, we have bill erny, doug johnson, chris boyer, and dennis gilbert. and what i'd like to do to kind of start off the discussion today is have each of you briefly explain kind of your roles and responsibilities because i think it will help us set the stage in terms of types of issues you're working and it will help guide our conversation as we kick things off. with that, bill, toss it to you. >> sure, hi, i'm bill erny here with the american chemical council here in washington.
8:50 am
i'm senior director with the regulatory affairs department. my primary role with acc is to advocate on behalf of the industry. cybersecurity is one of the issues under my advocacy portfolio but i also play an internal role within acc where i look across the organization and i insure that we've got coordinated efforts within acc and to make sure we're responding to our members needs. so in that regard my interface with a lot of different elements within acc and including our chemic program. some may be familiar with that. that is our group of cio members that engage directly on cybersecurity issues. >> i'm doug johnson with american bankers association. senior vice president of payments and cybersecurity policy. and so i run all of the various
8:51 am
committees that are within aba that are across those platforms either from a cybersecurity business resiliency or physical security standpoint. and also in charge of the regulatory relationships and legislative relationships across those platforms as well. i'm also served as the vice chairman of financial services sector coordinating council and on the board of our fsisac. there is lot of interaction with a lot of other trade associations with the financial sector in those two capacities. of course we're very much driving all of our membership to be part of information sharing apparatus we have through the fs-isac. >> my name is chris boy year, assistant vice president of global public policy with at&t. my role with at&t is largely serve as interface between our network security office and network operations teams and public policy issues in
8:52 am
washington. i serve as representative of the company before congress, before white house, before variety of agencies. big chunk what i've done over last year i spent working on nist cybersecurity framework. i attended all six workshops and active in development of framework and served in variety of capacities of fcc security an reliability, inother operability council and worked on variety of issues. i work on the knit internet security advisory boards. i spend a lot of time doing various activities on cybersecurity technical issues throughout d.c. >> good afternoon, i'm dennis gilbert. i'm the director of information and cybersecurity at excelon corporation. for those not familiar with excelon, we're one of the largest energy and utility companies into the united states. i report directly to our chief security officer who is responsible for physical security and cybersecurity within our 25,000 employee corporation. within that realm, i'm responsible for both the information technology environment as well as the
8:53 am
operational technology aspects of the cyber assets. we have within our team a complete cybersecurity operations center that includes monitoring intel, digital forensics and incident response team. we also have a architecture engineering, security engineering team and vulnerability analysis and management team. we have a complete suite of in-house capabilities in addition to some of the things we contract for. >> denany, thanks very much. well, again the title of this panel discussion is, strengthening cybersecurity together. sector cooperation, interdependencies and challenges. i think it may be very wise to start the discussion first on interdependencies. what are the things that off then create some channels, some challenges so we move on to discuss how we're arriving at some solutions today. dennis, i think i will start with you, from the electric sector standpoint, yes, you did
8:54 am
see it coming, because the grid in particular is where there is much concern. so many of the other sectors are completely reliant upon the grid sector. do you think, particularly given with we see on the hill where we can't get a bill, even though a lot of public officials we heard from today let's get a bill through, we just heard senator feinstein, senator chambliss, intel committee chair and vice-chair say we need to get a bill. do you think there is enough of a understanding among our policy leadership in terms of interdepend den stays exist, particularly as we look at things like internet of things? everything has to be driven by your sector, it is all plugged in one way or another. >> i have to admit sometimes people take for granted when they plug in, turn on the heat or anything else that the power is there. it is ubiquitous and don't understand the second and third order level of effects sometime and we're subjected to cyber
8:55 am
attacks as well as banking industry and telecommunications industry and retail companies. i think that is -- that tell you the truth it is a little bit of a challenge in our sector. we have a complete suite of challenges we have to face. not just to our operational assets but entire suite within the i.t. network of, you know, we have to look at actor, what they're trying to do, the threat actor and what their motivations are. whether getting into our billing systems for financial gain. whether it's trying to, you know, steal our intellectual property, to improve their capabilities overseas. so our personal information. so i mean, in that regard we have, interdependencies with our other sector, critical infrastructure sector, information sharing. from a sharing perspective, from what i understand on the hill i see it now, i've been with excelon four months after spending 30 years with the department of defense, is at one level we get a lot of
8:56 am
information. i mean we get it from the different isafs, from the fbi, from a number of different sources. looking from what admiral rogers said, looking from all the information that comes in. two elements i think we need to continue to focus on is timeliness. if i had my wish-list out there it would be one definitive single source that would actually bring that information in. a lot of times we get it in and it will trickle down every few weeks and we have to reconcile the data, look for differences. at the same time means i have one or two analysts looking at information coming in, versus actually looking on our networks to make sure we have everything patch covered and there is no threat on our networks. >> chris boyer from a communication sector standpoint, we as a nation have gotten pretty good responding to natural disasters, having the ability to be resilient within the sector, within the, putting towers back up as the kise may be.
8:57 am
rolling in those types of things in relation to a natural disaster. but are we prepared for a potential cyberattack where it may be a long time before the power grid, for example, goes back up to enable, what you do and at the -- [inaudible] >> from at&t perspective we -- [inaudible] >> response plan to deal with major cyber incidents inside of a company as part of our standard course of business. you con never say there is anything perfect. we acknowledge there is potential for cyber attacks. we have plans to deal with anything that might come up. from a sector dependency perspective i think it is pretty common knowledge there are interdependencies between the sectors and energy comes and comecoms and financial services andcoms and i.t. we talk about that quite a bit at sector coordinating council. we have a lot of discussions
8:58 am
about sector interdependencies. we recently had a series of meetings with the energy sector. in fact a couple weeks ago, i actually spoke at energy sector coordinating council meeting an we've done work with doe how two sectors work together to be better prepared for issues, personal and physical. there are keeping things up and running. how can we better work together to deal with those. so i think those conversations are happening. we met with the financial services sector. we had b-to-b meetings. i think it is pretty well understood within the industry is needs to be dealt with and there is a lot of active conversations on industry side to deal with those issues. >> doug, there has been a lost focus on the financial services sector as of late due to some high-profile breaches et cetera. but taking a quickstep back, you know, when the financial services sector is hit, whether a banking institution, what have you, this is not just about an
8:59 am
atm machine not working. talking about some of interdependencies, when attacks is made on financial services entitity, what that means for other services and sectors. >> it means something to every citizen essentially because we're essentially the keeper of those accounts and i think that's one of reasons why in concert with other sectors that we take cybersecurity so seriously. unfortunately, or fortunately we've been tested, quite a bit, over the course of the last few years. and i think one of the things that that has demonstrated is that the information-sharing environment that we have is pretty darn effective. i think you saw a lot of different media reports, for instance, about the most recent breach of jpmorgan chase. i think one of the reasons why essentially, that went no further, and the media actually had to retract statements saying it did go further and did create essentially breaches of other
9:00 am
institutions is because the bank that was actually breached was very good at immediately sharing the vectors associated with that breach to other institutions. and think that's what is so vitally important is that every sector has that kind of an apparatus. so i think that's what we're going to see more of going forward is more maturity within other sectors that are also experiencing impacts. regardless where the breach occurs, it will impact financial services. it will impact financial services to the extent of availability. it is going to impact financial services to the extent that there is for instance a retail breach which specifically impacts a financial services customer account. and so, i think that is going back to my initial statements that is what we recognize is first and foremost is really having that environment protected. . .
9:01 am
that you never even think about. and i think testiness where you are really able to accomplish some great learning. and that is one saying i think you are going to see in the course of the next year a similar testing across that yours has opposed the way we tend to do it as an silos, were
9:02 am
electric silos, where electric core financial services or tell a combo essentially do testing in their own environment. that is the cross sector to the effect is. >> just have a conversation does far, we have seen the effects of the interdependency we are opposed to you. let's talk about your sector in particular. let's talk about your supply chain, the folks within your supply chain of whom you are dependent and how that plays out into the broader discussion here. >> yeah, absolutely. the chemical supply chain we consider to be an integral part of what please do the business of chemistry. so for instance, within the acc, we have partnership groups that address issues like transportation transportation accountable the of warehousing and storage and distribution. it is funny when i typed to people about the chemical effect to her and i don't explain
9:03 am
exactly why we are really talking about here, different people have different ideas. but i guess the point to take home as we are unique in a lot of ways. we are unique in a lot of ways because of the diversity of our sector. the chemical effect or is that one particular type of product or service that we are providing. so while we may not be sort of the major interdependency, we touch a lot of people in a lot of different ways as we started to discuss here. we can impact the health care industry. we provide medical oxygen and things of that nature. we support other aspects of chemical and oil and gas production through the use of nature jammed that is used within the processes and then clean water, the availability of
9:04 am
chlorine to use in our wastewater treatment facilities is absolutely critical. so we are unique in a lot of ways that we may not be at the top of that critical infrastructure list, but we touch so many different people across the supply chain across our economy that we are in fact a very important part of the american economy. >> we want to now transition. we clearly see the interdependency that now access in dealing in particular the cyberthreat, we would like to get your perspectives, each of your perspectives first on information sharing and what that means to you because i think it has been cleared through the discussion we have had today that information sharing or one group or company or sector may be completely different for another.
9:05 am
said dennis, let's start with you from the electorate sector. what are the things unique premier sector's perspective to effect the blade manage cyberrisk? >> well, let me back up on not because at some point we talk about differences of unique name. we do have other threat sharing things set up by these verticals if you will. and once again we refer to ask on a selector. only one of the types of energy distribution of utilities we have. we had nuclear, gas, fossil fuel, wind and solar. and if you break that down, there's different organizations in different sharing aspects for each one of those and we also then have a trading floor and way of billing for customers. so we have interest from initial services sector. we can't do in response for either physical, cyberincidents
9:06 am
about a telecommunications partner so it's interesting to see the telecommunications and how that affects our networking and i.t. infrastructure as it works over the i.t. portion. from a chemical perspective company to the energy sector with quite a few chemicals used in our different generation aspects of the company. and so, that is the long way of saying that the sharing we have and in particular areas is good, but if you have an organization available for cybersecurity across the entire corporation from the information technology aspects to the cyberaspects and you have executive transportation whether its fleet or aircraft are things like that, whether it's a platform i.t. aspects, it is a lot of different sources of the herb nation coming in. a lot of times it is the actor with a different motivation coming after different asset but different asset with a different outcome that they are expected to have. that is why alluded to the interdependency is also is the
9:07 am
threat may also be coming at the same time from a financial perspective and not just after the energy grid. so it's really the challenge of getting to the aspects, bringing no sin in working across the organization. timeliness and really definitive is the way. if i was going to increase my wish list, one of the areas we talk about i think it's even admiral rogers taught about the maori types the attack about information sharing and maori types, indicators, the threat, those types of things. some of them are pro-iraq dave, but another valuable thing is that they must do these activities that i would like to see increased opportunities also get the bill signed them a good first step forward. but things like lessons learned from a best lessons learned, best practices, the department of defense and darpa spends millions of dollars in science and technology that would e-mail
9:08 am
a friend to our capabilities in the things we would like to deploy to prevent or detect these aspects of how many information technology are informational assets. that is one of the next steps. i don't only see her today or not, but i read a couple articles, david carrera on the political growth intact in one of his recent articles about the cyberthreat and the aspect of increasing the workforce, training and education, and been seen in security engineering. >> so information sharing, the common factor is that involved for a long time. they are our enemies out there like the national cybersecurity center coordination that we actually participate in. we literally have people on the floor hosted with dhs, work in information sharing in the communications sharing and analysis honor that shares
9:09 am
amongst up in the communications committee but also across sector sharing that goes on periodically through dhs. we also participate in a variety of third-party information sharing groups outside of governments, ad hoc groups that do what different types of cyberthreats. there are parties for a two purchase information from people like sober.word. there's a lot of information sharing. it could be better postmarked or maybe, but that is the stuff we are working on. it is an active thing today. in terms of the information shared, autofocus and i think admiral unders spoke about this today. depending on how you define it, it is not necessarily personal information. we're talking about ip addresses, things like the port number, the date, timestamp, technical information necessary if we thought that we do a lot of our cyberprotection, we say
9:10 am
what does it look like on a given day in a normal state of affairs and is there some sort of anomaly i'm a kennedy contributed to the cyberthreat? which i do look at things like the ip address, the pilot information, technical information to see if it is not in the stands out as an anomaly and is a jittery cyberthreat. it's not about looking at people's e-mails and information. it's more specifically a technical information. in terms of how information sharing can we approve, senator steinkamp and chambliss have talked about it today. we think that clearing out the legal framework around cybersecurity in particular would go a long way to enabling new capabilities of outlook information sharing. just as important as information sharing is what the legislation talked about explicitly authorizing it was like cyberthreat on a terrain and countermeasures are taken actions to stop the threats. a lot of what we do today is covered under exceptions for
9:11 am
network security and would like to move away from being the exception-based behavior to something that's more to encourage behavior that congress to send these are entities would like you to do so we have clarity and law around actually performing cybersecurity. >> we're going to come back to back, particularly from a legal perspective, regulatory perspective. but the outcome of financial services been around for pre-nine 9/11 certain is recognized as one of the most sophisticated from an information sharing perspective. what specifically does the access i sat due to encourage information sharing amongst its members on what is the relationship like with your government partners? >> well, the relationship is incredibly strong and part of that is because at the fact that we are co-located with law enforcement as well as dhs is
9:12 am
huge. it builds a trust network essentially between individuals. we are not unknown to hire some of those individuals in the financial services and moved to one desk over because of those relationships. so that is i think first and foremost be about that is done is enabled us to take information and make it more actionable as well because one of the things that i think it's accomplished is the financial services operator can tell the folks on the government side where the information has meaning and the meaning it does have and what actionable results are, not a providing that information. what is the to do list? not just hearsay threat, have a nice day. precisely what you can do related to that particular thread is huge. admiral rogers made an excellent point when he was talking about data versus intel. i think we have a problem that
9:13 am
is a nice problem to have to some degree of madness we are now faced with having so much data within the threat environment that it is hard to call through all that data to build and make determinations of what part of your environment is really impacted by a particular thread and then what should you be doing associated with that quiet so we recognize that. so some of you may be familiar with a couple of protocols. one is called tips, html for threat information. it allows you to essentially tag the threat information and much more easily determine what part of your environment is affected. the other protocol is called taxi and is essentially what it sounds like. it is the method by which the information can go from a to b., can go to a financial institution and the institution has tagged information
9:14 am
appropriately, essentially it can read computer to computer the threat information. that is something, which is a significant initiative within the financial services industry is going to migrate to the industry as well. it is becoming a standard and it makes sense for that to be one standard and have inability to talk to each other machine to machine. or we can spend more time doing the analytics and amid occasion and less time essentially trying to figure out what part of the privately impacts our environment. so in terms of our level of maturity, that is one of the most hopeful signs that i've seen in the course of the last three years is going for when you have information or get information from an institution can you throw a party to have so much information that you have to figure ways to automate it more effectively and by the way of working more closely with
9:15 am
their governmental partners and building joint products out of the bureau, for instance, the fbi alerts associated with various types of financial services are co-authored by the street. so that gives that much more flavor in terms of making it more easily understandable and more actionable. >> though, from the chemical sector standpoint, do you feel like you to actionable cyberthreat information ersatz relationships in your business to government relationships? >> right, what he said. so that is a good question because it is something that we are currently dealing with right now. mentioned earlier acc has a program that is the acronym for the chemical information technology center nsa program
9:16 am
established specifically for folks within the chemical industry that have a particular interest in cybersecurity. and like i mentioned, we have a cio roundtable at tv that brings all of the cios to gather within the chemical industry to share information and things of that nature. they are currently piloting a chemical icepack and not begin in the latter part of 2013 and continues today. we work closely with dhs, u.s. cert and one of the issues that they are really trying to wrestle down to the ground is how do you separate a week from the chaff then how can we get specific actionable information into the hands of the folks that really need to know this. it has been a challenge to really do that effectively.
9:17 am
i think we started out at a place where he was into overload and what happens is you start losing folks. all this data, all this information and it is hard to get to someone's interest when you are fit by fire hose. we're making progress in that area. we are not there yet. we look at how the voting middle to next year, middle of 2015 where we have a solid place where we can start to broadly stand out across the batterer chemical sector. >> you reach come from sectors which are really highly regulated. that as another layer of complexity earlier in our discussions this afternoon, admiral rogers had actually mentioned this. now you've got federal regulations to deal with the
9:18 am
many dates deal with many get to stay level, those of you who have utility commissions, et cetera to deal with. why do you wear that what are the multiple layers of a multilayered regulatory environment? how does it impact you from a cybersecurity standpoint in terms of protecting your network? >> one of the examples we could use for the energy sector at large is the author is underway true the anti-rc over the last five or six years to increase reliability of the great based on incidents of the past. at other protection program in place, operating against version three of that, which is an entire program that we need to go through to protect cyberassets. moving quickly we have a new version five that is in draft, that the ink is starting to dry anatomy had to implement a fully
9:19 am
by early 2016. for that is driving the entire industry. expands the scope to now looking at the operational assets and it really starts to look at opening the aperture of what is a cyberi said and not assuming that things in the generation area and distribution centers are eric at. now that we put many more things into the environment, we do a lot of things for efficiency perspective. we be industry is deploying more for books and addressing more opponents that you can do remote access to, even wireless access points from different substations in doing these things to increase reliability and decreased costs and provide better service and reliability. so all of those that are layered on top of the normal last fix we are looking now. the industry has focused for his longtime on a culture of safety.
9:20 am
the high-voltage areas have been injuries in some areas and generation plants and fatalities. they have implicated the safety across the entire energy sector from top to bottom. when you add the regulations, i think we are trying to shift a little bit and the organization is trying to get a culture of compliance because you have to comply with the regulations. cybersecurity guys are running to catch a. from a compliance perspective, the flight folks are his complaints to enable security. you can actually follow it through, but if you don't have a culture of cybersecurity across the aspects that come you don't see the bigger picture of what
9:21 am
the different threats are in the cascading effects from access management to patch management and those types about specs. so it really adds that level of complexity where trying to shift to the culture safety to a culture of cybersecurity and trying to raise the death from a compliance perspective. one of the other aspects we is where some of these across the industry for the regulatory bodies, you're actually let me to find if you suffer for. if you find something yourself and report it, then you are still find or give another remedial activity instead of being congratulated for going through process, find some into my fixing a insane okay, let's make sure you have the processes in place. so that is one of the aspects we've had conversations with including folks who are ridden
9:22 am
other aspects of dhs and other locations where this was originally started and i was one of the affects they wanted implemented in some of these regulatory bodies, but it is an artifact right now that we have to deal with and it does affect the performance from a security perspective and a compliance perspective. >> it is really interesting is a look at such is the transition to this marker among which is hopefully leading to more efficiencies, better services out of our home. we look where you guys are delivering all this mobile devices that folks want to make their lives easier, more convenient, more efficient. we open up on a set of vulnerabilities, which is complicating particularly to you from a regulatory standpoint. on one hand you regulators to hold the line on braves, et cetera while we find these new uses for all of these new
9:23 am
devices and methods for making mice more efficient. one of the challenges you are specifically seen from the com sector? >> most of the work we do around regulatory sanders is sent to the fcc system. it is actually a set of standards by industry. to give you background as a successful organization and the network reliability that started in early two thousands and ran for 2006. there were multiple sessions at the time. the sister was a successful organization in 2009 and is now currently throughout the process where we've taken best practice efforts adopted the previously identified cybersecurity standards. in 2011 we published the working group to put together cybersecurity best practice and identified 397 different
9:24 am
cyberpractices and now we currently undergoing a process to update or to basically confirm the cybersecurity framework. someone currently the chair of the wireline subgroup in the effort and we've been trained to pull together applying the risk management principles and said the framework. most of the work is done. currently it's a voluntary process, not regulatory oriented. we would like to see remain that way. obviously the idea of having regulation at the federal level in a all 50 states and potentially internationally is a daunting thing. i don't think it's an effective model for cybersecurity. our general thoughts on regulation and security has been a thoughts are currently changing. the best way to deal with cybersecurity and others who have spoken to this topic is the risk management. risk management. identify your core mission and what the risk constantly
9:25 am
involved floriculture risk management, not some rigid checklists you have to comply within the concern with the two d. extent the government encourages my regulatory standards regime, you'll end up rejecting people who would be dealing with drives to kind of grew compliance behavior and i'm not sure that's the incentive you want to put in place. >> to concern being the lawyers take over cybersecurity. not that they are not an important element, but it dealing with the threat as a current evolving of your plan to deal with what you are seen to something that is i've got to do this and i'm not sure that's where we want to be. >> one comment with heads nodding affirmatively as compliance does not equal security. so that is a culture changes you are saying. doug for the financial services that are standpoint, how was it
9:26 am
through the financial services, how we present urging resiliency, not just compliance in the financial services set your? >> it is fairly well taken a regulatory process as well because there is a recognition as it relates to a lot of things in financial services, talking about information security and data security, which is a subcomponent that it has to be risk management based and i think that obviously one's self towards the environment we are talking about where you can continuously review how you are doing, what the threats are, the measures against those threats, what is your risk you haven't been able to address quite how are you now going to address it because it is a new risk? that is always the environment. that's never going to change. we become more sophisticated, not less sophisticated.
9:27 am
the arch is going to be as we try to deal with the enhanced scrutiny from all these different levels to maintain that kind of culture from a regulatory standpoint. we have increased interest by the states, particularly the state of new york in terms of the securities firms and commercial banks are doing massive relates to a third-party risk management. we have continual increasing interest from the european union and from other national entities as well. one of the good things is the e.u. is particularly interested right now in the cybersecurity framework and you heard from adam sedgwick earlier coordinating the work that has been accomplished right now in the e.u. to understand how this remark might have meaning not just within financial services
9:28 am
oversees but other cybersecurity regimes and sectors as well. so i think that is going to be incredibly important to try to ensure we have this great of uniformity as possible through what you're suggesting because you not only have to look towards the states and eyeball the federal level, but also the international level as well, which is going to be an increasing challenge and they are about a year behind. to the extent we can take the lessons of the united states and apply them appropriately overseas will be well served. we have enough challenge to ensure the states, the fcc, the federal reserve and the fdic and the national controller of the currency are on the same page as the release to these things than 18 to deal with as it released to these things. sometimes they act in concert.
9:29 am
when they act upon, that could be problematic on occasion. >> sometimes it's difficult to see where we've made progress on the radio tories stand point. looking out for the chemical sector standpoint, with a chemical facility antiterrorism standards program with the industry has gone through quite the ring or in terms of complying with the radio to a standard of whether or not it was followed up on from the dhs perspective was in question. that is another layer you are having to deal with. >> absolutely. i think they said they experience for us really demonstrates the cautionary tale for policy makers out there who think that they want to regulate the industry and go too far, particularly in the cybersecurity from. i kind of look at it as a
9:30 am
cyberstatic approach to fix a dynamic threat that exists out there today. i echo the comments of my colleagues appear on the panel. the right approach to this is a risk management approach. one of the ways that the acc deals with this from my is through our responsible care program. responsible care is a continuous improvement program. it's required of our entire membership. we require third-party audits on a regular basis and since 2001, we have a security code elements added to that in which address the cybersecurity as well. we are currently taking the framework in doing a mapping exercise. we are identifying gaps and so we can better bring our code up to current state of technology

11 Views

info Stream Only

Uploaded by TV Archive on